{"api_version":"1","generated_at":"2026-05-07T03:16:52+00:00","cve":"CVE-2026-43067","urls":{"html":"https://cve.report/CVE-2026-43067","api":"https://cve.report/api/cve/CVE-2026-43067.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-43067","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-43067"},"summary":{"title":"ext4: handle wraparound when searching for blocks for indirect mapped blocks","description":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: handle wraparound when searching for blocks for indirect mapped blocks\n\nCommit 4865c768b563 (\"ext4: always allocate blocks only from groups\ninode can use\") restricts what blocks will be allocated for indirect\nblock based files to block numbers that fit within 32-bit block\nnumbers.\n\nHowever, when using a review bot running on the latest Gemini LLM to\ncheck this commit when backporting into an LTS based kernel, it raised\nthis concern:\n\n   If ac->ac_g_ex.fe_group is >= ngroups (for instance, if the goal\n   group was populated via stream allocation from s_mb_last_groups),\n   then start will be >= ngroups.\n\n   Does this allow allocating blocks beyond the 32-bit limit for\n   indirect block mapped files? The commit message mentions that\n   ext4_mb_scan_groups_linear() takes care to not select unsupported\n   groups. However, its loop uses group = *start, and the very first\n   iteration will call ext4_mb_scan_group() with this unsupported\n   group because next_linear_group() is only called at the end of the\n   iteration.\n\nAfter reviewing the code paths involved and considering the LLM\nreview, I determined that this can happen when there is a file system\nwhere some files/directories are extent-mapped and others are\nindirect-block mapped.  To address this, add a safety clamp in\next4_mb_scan_groups().","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-05 16:16:15","updated_at":"2026-05-06 13:08:07"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/f89bba144938921a2249237ad04a0183ff3f8930","name":"https://git.kernel.org/stable/c/f89bba144938921a2249237ad04a0183ff3f8930","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/12624c5b724a81e14e532972b40d863b0de3b7d1","name":"https://git.kernel.org/stable/c/12624c5b724a81e14e532972b40d863b0de3b7d1","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/4bec4a498ce86314d470ae6144120461f2138c29","name":"https://git.kernel.org/stable/c/4bec4a498ce86314d470ae6144120461f2138c29","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/83170a05908b6cf2fb3235d3065bf613ff866f3c","name":"https://git.kernel.org/stable/c/83170a05908b6cf2fb3235d3065bf613ff866f3c","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/2a368ccddfc492a0aa951e2caef2985f20e96503","name":"https://git.kernel.org/stable/c/2a368ccddfc492a0aa951e2caef2985f20e96503","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/bb81702370fad22c06ca12b6e1648754dbc37e0f","name":"https://git.kernel.org/stable/c/bb81702370fad22c06ca12b6e1648754dbc37e0f","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-43067","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43067","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9d89b9d55e25cb340c5b4b769876edc551b7a9ff f89bba144938921a2249237ad04a0183ff3f8930 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1b0edd6022a3f44ce87fea9959a9310f4628fbea 83170a05908b6cf2fb3235d3065bf613ff866f3c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9eea2f57d11b30049ff996ac3eff6e0dc8089e5f 4bec4a498ce86314d470ae6144120461f2138c29 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 34c803edc0b3365a42efcf9815acab63b4cf54e0 12624c5b724a81e14e532972b40d863b0de3b7d1 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 321ed8d559c951e71ad2d2d69a4cf0445644e865 2a368ccddfc492a0aa951e2caef2985f20e96503 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4865c768b563deff1b6a6384e74a62f143427b42 bb81702370fad22c06ca12b6e1648754dbc37e0f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 16fce6b6c0b247258c6c217fce5a48abf50f6964 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.1.167 6.1.168 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.6.130 6.6.134 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.12.77 6.12.80 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.18.14 6.18.21 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.19.4 6.19.11 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["fs/ext4/mballoc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"f89bba144938921a2249237ad04a0183ff3f8930","status":"affected","version":"9d89b9d55e25cb340c5b4b769876edc551b7a9ff","versionType":"git"},{"lessThan":"83170a05908b6cf2fb3235d3065bf613ff866f3c","status":"affected","version":"1b0edd6022a3f44ce87fea9959a9310f4628fbea","versionType":"git"},{"lessThan":"4bec4a498ce86314d470ae6144120461f2138c29","status":"affected","version":"9eea2f57d11b30049ff996ac3eff6e0dc8089e5f","versionType":"git"},{"lessThan":"12624c5b724a81e14e532972b40d863b0de3b7d1","status":"affected","version":"34c803edc0b3365a42efcf9815acab63b4cf54e0","versionType":"git"},{"lessThan":"2a368ccddfc492a0aa951e2caef2985f20e96503","status":"affected","version":"321ed8d559c951e71ad2d2d69a4cf0445644e865","versionType":"git"},{"lessThan":"bb81702370fad22c06ca12b6e1648754dbc37e0f","status":"affected","version":"4865c768b563deff1b6a6384e74a62f143427b42","versionType":"git"},{"status":"affected","version":"16fce6b6c0b247258c6c217fce5a48abf50f6964","versionType":"git"}]},{"defaultStatus":"unaffected","product":"Linux","programFiles":["fs/ext4/mballoc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"6.1.168","status":"affected","version":"6.1.167","versionType":"semver"},{"lessThan":"6.6.134","status":"affected","version":"6.6.130","versionType":"semver"},{"lessThan":"6.12.80","status":"affected","version":"6.12.77","versionType":"semver"},{"lessThan":"6.18.21","status":"affected","version":"6.18.14","versionType":"semver"},{"lessThan":"6.19.11","status":"affected","version":"6.19.4","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.168","versionStartIncluding":"6.1.167","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.134","versionStartIncluding":"6.6.130","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.80","versionStartIncluding":"6.12.77","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.21","versionStartIncluding":"6.18.14","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.11","versionStartIncluding":"6.19.4","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.203","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: handle wraparound when searching for blocks for indirect mapped blocks\n\nCommit 4865c768b563 (\"ext4: always allocate blocks only from groups\ninode can use\") restricts what blocks will be allocated for indirect\nblock based files to block numbers that fit within 32-bit block\nnumbers.\n\nHowever, when using a review bot running on the latest Gemini LLM to\ncheck this commit when backporting into an LTS based kernel, it raised\nthis concern:\n\n   If ac->ac_g_ex.fe_group is >= ngroups (for instance, if the goal\n   group was populated via stream allocation from s_mb_last_groups),\n   then start will be >= ngroups.\n\n   Does this allow allocating blocks beyond the 32-bit limit for\n   indirect block mapped files? The commit message mentions that\n   ext4_mb_scan_groups_linear() takes care to not select unsupported\n   groups. However, its loop uses group = *start, and the very first\n   iteration will call ext4_mb_scan_group() with this unsupported\n   group because next_linear_group() is only called at the end of the\n   iteration.\n\nAfter reviewing the code paths involved and considering the LLM\nreview, I determined that this can happen when there is a file system\nwhere some files/directories are extent-mapped and others are\nindirect-block mapped.  To address this, add a safety clamp in\next4_mb_scan_groups()."}],"providerMetadata":{"dateUpdated":"2026-05-05T15:23:26.717Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/f89bba144938921a2249237ad04a0183ff3f8930"},{"url":"https://git.kernel.org/stable/c/83170a05908b6cf2fb3235d3065bf613ff866f3c"},{"url":"https://git.kernel.org/stable/c/4bec4a498ce86314d470ae6144120461f2138c29"},{"url":"https://git.kernel.org/stable/c/12624c5b724a81e14e532972b40d863b0de3b7d1"},{"url":"https://git.kernel.org/stable/c/2a368ccddfc492a0aa951e2caef2985f20e96503"},{"url":"https://git.kernel.org/stable/c/bb81702370fad22c06ca12b6e1648754dbc37e0f"}],"title":"ext4: handle wraparound when searching for blocks for indirect mapped blocks","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-43067","datePublished":"2026-05-05T15:23:26.717Z","dateReserved":"2026-05-01T14:12:55.981Z","dateUpdated":"2026-05-05T15:23:26.717Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-05 16:16:15","lastModifiedDate":"2026-05-06 13:08:07","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"43067","Ordinal":"1","Title":"ext4: handle wraparound when searching for blocks for indirect m","CVE":"CVE-2026-43067","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"43067","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: handle wraparound when searching for blocks for indirect mapped blocks\n\nCommit 4865c768b563 (\"ext4: always allocate blocks only from groups\ninode can use\") restricts what blocks will be allocated for indirect\nblock based files to block numbers that fit within 32-bit block\nnumbers.\n\nHowever, when using a review bot running on the latest Gemini LLM to\ncheck this commit when backporting into an LTS based kernel, it raised\nthis concern:\n\n   If ac->ac_g_ex.fe_group is >= ngroups (for instance, if the goal\n   group was populated via stream allocation from s_mb_last_groups),\n   then start will be >= ngroups.\n\n   Does this allow allocating blocks beyond the 32-bit limit for\n   indirect block mapped files? The commit message mentions that\n   ext4_mb_scan_groups_linear() takes care to not select unsupported\n   groups. However, its loop uses group = *start, and the very first\n   iteration will call ext4_mb_scan_group() with this unsupported\n   group because next_linear_group() is only called at the end of the\n   iteration.\n\nAfter reviewing the code paths involved and considering the LLM\nreview, I determined that this can happen when there is a file system\nwhere some files/directories are extent-mapped and others are\nindirect-block mapped.  To address this, add a safety clamp in\next4_mb_scan_groups().","Type":"Description","Title":"ext4: handle wraparound when searching for blocks for indirect m"}]}}}